Slashdot Mirror
"Free Wi-Fi" Scam In the Wild
DeadlyBattleRobot writes in with a story from Computerworld about a rather simple scam that has been observed in the wild in several US airports. Bad guys set up a computer-to-computer (ad hoc) network and name it "Free Wi-Fi." You join it and, if you have file sharing enabled, your computer becomes a zombie. The perp has set up Internet sharing so you actually get the connectivity you expected, and you are none the wiser. Of course no one reading this would fall for such an elementary con. The article gives detailed instructions on how to make sure your computer doesn't connect automatically to any offered network, and how to tell if an access point is really an ad hoc network (it's harder on Vista).
Well, they would have a really difficult time turning my linux based portable into a zombie. I guess that would be risk free wifi for me, Yeah! Oh, and while in public, I use stunnel to a secure server. Sniff all of the data you want while I use your free wireless.
Kindness is the language which the deaf can hear and the blind can see. - Mark Twain
To avoid this, just avoid ad-hoc connections. That will work until the perps start using Infrastructure (Access Point) connections with a bridge to the real one. You can even set up Windows XP so that it won't allow you to make ad-hoc connections.
GreyPoopon
--
Why is it I can write insightful comments but can't come up with a clever signature?
Now I can take a well-configured Linux lappy to the airport, hook up through these bad guys, and make extra sure to do everything illegal, immoral, and dangerous I can think of over their pipe without a smidgen of guilt. Woo and yay!
Slashdot Burying Stories About Slashdot Media Owned
When you connect to a network, a little wizard pops up asking you if it's "Home", "Work", or "Public Location". Choose Public Location and sharing will be disabled automatically.
Thanks to Windows, they are unknowingly born every clock cycle. And so goes the easy-of-use vs. security tango.
I wonder if I use bold in my signature, people will notice my posts.
If you have a box that's permanently on the net, a machine at home that's always on, a web server, etc, set your laptop up to always tunnel its connections through it. That way, even if someone 0wnz the connection you're on, so long as your software firewall is good, you're set.
And when wi-fi becomes a universally available free commodity (who else is betting on it?) what trickery will we see then?
Or the bad guy could set a relay with the real internet and get all your passwords, that's why I use SSL in public APs. But even worse, he could emulate (and forward data to) popular sites like Gmail, Yahoo, Ebay and Paypal but without any SSL. Like, a site that looks and acts like Gmail and even has your messages but is in reality a non-encrypted site that acts as a proxy.
Connecting to the "Free Wi-Fi" and having your passwords and data sniffed is one thing, but how easy is it for the attacker to turn a Windows XP system into a zombie, merely by connecting to an attacker's wireless network?
Assumption #1. You run Windows XP, SP2, up to date with security patches
Assumption #2. You have Windows Firewall installed and configured for maximum security
Assumption #3. You are not sharing your folders on the network, or if you are, you're not allowing guest write access
(Now, I know how many Windows users do not follow #1,#2,#3 above..) but assuming they do, is a zero-day exploit required in order to zombify their PC?
linux laptop advertising as a wifi hot spot.
It runs it's own DNS and httpd.
you connect, it looks real. Log into your yahoo account with a legit looking cert, hmmm yahoo is having trouble, I'll try ebay. I logged in but it also has trouble, I'll try again.. oh it works!
Really easy, thwarts all the "this certificate does not match as you control everything the client side sees, then dump them off to your link to wifi or your cellular net connection.
you can probably get tons of real logins you are ready for collecting.
Moral of this? do not trust open accesspoints, they might not be legit.
Do not look at laser with remaining good eye.
Doesn't running Windows already turn your computer into a zombie?
I saw exactly this at the National Archives in College Park, MD. I told the local IT bubbas, but they just gave me blank stares. It was particularly disturbing because the average researcher at the archives won't have the technical sophistication to realize what's going on, and will then take their zombified system back to a university network.
eg. if I ssh to my home computer, or use access an https site am I still ok?
As long as you exchange keys with the actual end host, and not the man-in-the-middle, you're fine.
If the Man-in-the-middle tries to give you his own SSL key, your browser will throw up an error message that the key is invalid. If you click "accept key", then you're hosed and the attacker can read all your traffic.
As far as ssh goes, if you've connected to the host before, SSH will (or at least on the clients I've used) throw up a big warning message that someone is trying to hack you. If you haven't connected, no such warning will appear and if you type in your password the attacker will get your password, and everything you type in your ssh session.
AccountKiller
Help other folks out. Set yourself up as a proxy, advertise yourself as "Free Wi-Fi" too, and let everyone else (at least, everyone who connects through you) safely use the scumbag's paid wi-fi connection for free.
But if you must have some innocent fun, you really should have your machine mirror images so that they're returned upside-down. Not all of them, just a very few that meet some criteria based on a hash of the user's MAC address or something. Imagine their confusion when their buddy's laptop shows the picture normally and they're sitting there thinking, "What the...!!?"
Personally, I'd try to gather evidence and report it to the police if I felt they'd do anything worthwhile. The fact that this person's behaviour happens to be driving people towards my OSs of choice is purely incidental. You probably realise this, and I doubt that you were serious about thanking the guy, but I bet that your f****d up zealotry, morality and ideology are genuine; you really would place a microscopic (and questionable) "blow" against Microsoft over thieving scum like this escaping justice. You really think that MS-enabled crime (let alone this particular scam) is the only crime they're going to commit?
"Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
With Linux and the hostap driver I can set up a legitimate access point. Ad hoc isn't a necessary part of this scam, and I don't see how avoiding ad hoc networks will prevent anything.
Besides the possible risk from malware infection if you have enabled file sharing, this really is the same man-in-the-middle attack that was so prominant in the 80's and early 90's. A problem which has been mostly fixed by the adoption of SSH over telnet. And is practically non-existant over HTTP today beacuse of the use of SSL on servers. And with regards to malware, how does this differ from picking up some spyware from the pr0n site you "accidently" visited?
I see no problem here that cannot be solved by adopting the same principles that you would use for ordinary domestic internet access:
1) Turn on your firewall and close all open ports.
2) Don't send sensitive data over an unsecured network.
Nothing sucks like a Vax, nothing blows like a PowerMac G4
The network isn't the problem here, your computer's configuration is. All of my machines can safely connect to an untrusted network (and they do---my non-firewalled, non-NATted internet feed) without being turned into zombies.
The message here shouldn't be "don't connect to untrusted networks," it should be "secure your machine."
Once you do that, these guys are just being nice and giving you a free connection!
-rsw
How sure are you that you can prove that you're not involved, especially when you've been arrested and subject to police questioning? Under ideal circumstances If you were in control of things, you could probably put together a good case, but fancy playing against a prosecutor and police who genuinely believe that you were involved and want to make you look bad?
And (so the police will want to know) since you obviously knew this guy was up to no good, why didn't you report it?
Doesn't sound such a good idea now.
"Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
http://www.historybuff.com/library/refbarnum.html
Situation's a bit different in Europe. The airports in Budapest and Vienna have free wi-fi, and it's blazingly fast. In fact, when I recently had to fly out from Vienna, I got to the airport 36 hours early so I could get several films through Bittorrent.
It's that kind of juvenile behavior that kills off free wi-fi services. They are there for people to check itineraries, keep in touch with their friends/family/colleagues, and other minor conveniences. They don't exist for jackasses to park on for days to download movies.
"Free to use" does not mean "Free to abuse". If you want more bandwidth, pay for it yourself.
...newbie.
Wireless network cards can be set up as access points to. So just looking for if it's an ad-hoc network does not protect you. Turn off all sharing when connecting through public access points and use encryption.
There you go - free wi-fi!
Opinions expressed above are mine, and not my employees'.
This still doesn't explain about the zombification process. First of all, most file sharing is read only unless you have a password used, most home users don't really do much filesharing, but generally it's a read only thing, but second of all even if you have your entire folders mounted as read/write, how exactly does that allow this machine to turn you into a zombie? Last I heard writing files to your my documents folder (it's really difficult to share other folders than this) can not actually execute code.
I guess if your entire hard drive was shared, there is a possibility that they could write the file to a startup directory on it that automatically launches it on your next reboot . . .
This article really read as a lot of FUD to me. Possibly unpatched machines are affected, but they give a solution of disconnecting from the net. I just don't get it, the solution, it appears to me would be to oh, I don't know, patch your computer and use sane practices (like not sharing your whole hard drive as read/write/execute (apparently) with anonymous access).
Now the problem of them being able to steal credit card numbers and such is an issue. This is an issue that effects all OSes, so everyone should think bout it. however, if you check that the ssl keys you accept are valid for the site in question, then you should be alright. While they can perform a man-in-the-middle attack, that does require changing what keys a website uses (or possibly disabling encryption). As far as aim passwords and such go, well if you don't use it for important stuff, what are they going to do with it?
I read this entire article and really just want to read something from someone who knows anything about security, and not some idiot who read about something like this and proposes an even more idiotic solution. There is truth that you must be careful connecting to any wireless network that you don't know, also your machine needs to be patched etc. a little common sense goes a long way in this matter.
Phil
2) Yes.
3) The user need do nothing. If you have read/write access to C:, you can install anything you want and have it run automatically.
try this: https://mail.google.com/mail/ (gmail) It starts a secured connection, and stays secure. I use it at work - since stupid WebSense blocks all webmail accounts that don't start with a secured connection.
My Slashdot Journal! YAY!
Aside from the jackass component, how about the idiocy? Personally, I'd much rather pay for a few dvds than sit in an airport for 36 hours to get them "free".
What changed under Obama? Nothing Good
Yeah, but actually there are four legitimate free Wi-Fi groups in Portland:
1. Portland Airport Free WiFi, ssid "flypdx"
2. Personal Telco Underground WiFi Group, ssid "www.personaltelco.com".
3. Independant coffee shops, hotels, and internet cafes, various ssids
4. Metro-Fi, the new downtown and expanding out towards all of Metro area wifi cloud, ssid "MetroFi-Free". If you see "MetroFi-TestFree" this indicates an access point that isn't connected to the Internet yet but will be coming soon.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
And no, they *don't* deserve it. If there was a warning dialog which said, "Doing this might cause you to get pwn3d", you might have a point. The problem is that there's no reason to expect your average user to understand the implications involved.
Every so often, bad weather during the winter leads to a few deaths due to people using charcoal barbecues in the house. It's not reasonable to suggest those people deserve what happened to them. If they didn't understand the risk (and many people don't) they are victims of their own, reasonable ignorance. If the heat is out, your stranded at home in a blizzard, and all you have is a barbecue, what do you think your average person is going to think?
It's the same with many Windows exploits. People use the OS the way its design promotes, and develop habits accordingly (such as blindly clicking "next, next, next" during software installation). Yes, education and vigilance would stop many of the problems, but the level of education and vigilance is above and beyond what is reasonable to expect.
Blaming the user is foolish. Why not fix the OS?
Someone in the vicinity of my office (in a Chatsworth CA industrial park) was broadcasting a wireless network titled "Free Public WiFi" for the past couple of weeks, and since I'm using OS X, it appeared under my AirPort status menu as a peer-to-peer network. These come and go, and I routinely ignore them. That is -- until I saw this ComputerWorld article on Slashdot.
It could have been a coworker, or someone in an adjacent building, or someone parked on the street... the signal strength was 5 bars on a WinXP notebook one cubicle away. It could have been an intentional scammer, or a victim of a scammer's trojan, implanted via a public hotspot. So I forwarded the ComputerWorld URL to everyone in the office, summarized the scam and the risks, and asked folks to run their spyware/adware scrubbers if they had used a public hotspot recently.
And I created my own peer-to-peer network "Free Public WiFi is a CON!"
Within hours, the "Free Public WiFi" was gone. No telling who it was or what their intentions, but at least it's gone.
I can see the fnords!